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Abstract 

We revisit a classic coordination problem from the perspective of mechanism design: how 
can we coordinate a social welfare maximizing flow in a network congestion game with selfish 
players? The classical approach, which computes tolls as a function of known demands, fails 
when the demands are unknown to the mechanism designer, and naively eliciting them does not 
necessarily yield a truthful mechanism. Instead, we introduce a weak mediator that can provide 
suggested routes to players and set tolls as a function of reported demands. However, players 
can choose to ignore or misreport their type to this mediator. Using techniques from differential 
privacy, we show how to design a weak mediator such that it is an asymptotic ex-post Nash 
equilibrium for all players to truthfully report their types to the mediator and faithfully follow 
its suggestion, and that when they do, they end up playing a nearly optimal flow. Notably, our 
solution works in settings of incomplete information even in the absence of a prior distribution on 
player types. Along the way, we develop new techniques for privately solving convex programs 
which may be of independent interest. 
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1 Introduction 


Large, atomic traffic routing games model the common scenario in which n agents (say, residents 
of a city) must choose paths in some graph (the road network) to route a unit of flow (drive to 
work) between their target source/sink pairs. In aggregate, the decisions of each of these agents 
cause congestion on the edges (traffic), and each agent experiences a cost equal to the sum of the 
latencies of the edges she traverses, given the decisions of everyone else. The latencies on each edge 
are a function of the congestion on that edge. 

This widely studied class of games presents several well known challenges: 

1. First, for the social welfare objective, the price of anarchy is unboundedly large when the 
latencies can be arbitrary convex functions. 

2. Second, in atomic routing games, equilibria are not unique, and hence equilibrium selection 
is an important problem. 

3. Finally, as in most large games, players will be generally unaware of the types of their oppo¬ 
nents, and so it is important to understand these games in settings of incomplete information. 

One way to address the first challenge is to introduce carefully selected tolls on the edges, 
which modifies the game and decreases the price of anarchy. Indeed, so called marginal cost tolls 
make the socially optimal routing a Nash equilibrium. The marginal cost toll on each edge charges 
each agent the cost that she imposes on all other agents. However, in atomic congestion games 
with marginal cost tolls, the socially optimal routing is not necessarily the only Nash equilibrium 
routing, and so the price of anarchy can be larger than 1, and the coordination problem is still not 
solved. Moreover, because it is difficult to charge agents tolls as a function of what others are doing 
(as the marginal cost tolls do), there is a large literature that considers the problem of finding fixed 
tolls that induce the optimal routing, under various conditions Cole et al. (2003); Fleischer et al. 
(2004); Karakostas and Kolliopoulos (2004); Fleischer (2005); Swamy (2007); Fotakis et al. (2010) 

This literature, however, assumes the agents’ source/sink pairs are known, and computes the 
tolls as a function of this information. In this paper we instead take a mechanism design approach— 
the demands of the agents must be elicited, and agents may misrepresent their demands if it 
is advantageous to do so. Compared to standard mechanism design settings, our mechanism is 
somewhat restricted: it can only set anonymous tolls, and cannot require direct payments from 
the agents, and it also cannot force the agents to take any particular route. Because of these 
limitations, standard tools like the VCG mechanism do not apply. Instead, we approach the problem 
by introducing a weak mediator which also solves the 2nd and 3rd problems identified above—it 
solves the equilibrium selection problem, even in settings of incomplete information. The solutions 
we give are all approximate (both in terms of the incentives we guarantee, and our approximation 
to the optimal social welfare), but the solution approaches perfect as the game grows large. 

Informally, a weak mediator is an intermediary with whom agents can choose to interact with. 
This leads to a new mediated game , related to the original routing game. In our setting, the weak 
mediator elicits the types of each agent. Based on the agents reports, it fixes constant tolls to 
charge on each edge, and then suggests a route for each agent to play. However, agents are free 
to act independently of the mediator. They need not report their type to it honestly, or even 
report a type at all. They are also not obligated to follow the route suggested by the mediator, 
and can deviate from it in arbitrary ways. Our goal is to design a mediator that incentivizes “good 
behavior” in the mediated game—that agents should truthfully report their type to the mediator, 
and then faithfully follow its suggestion. Moreover, we want that when agents do this, the resulting 
routing will be socially optimal. 
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Our main result is that this is possible in large routing games with convex loss functions. By 
large, we mean both that the number of players n is large, and that the latency functions are 
Lipschitz continuous—i.e. that no single agent can substantially affect the latency of any edge via a 
unilateral deviation. We give a weak mediator that makes “good behavior” an approximate ex-post 
Nash equilibrium—i.e. a Nash equilibrium in every game that might be induced by realizations 
of the agents types. This is an extremely robust solution concept that applies even when agents 
have no distributional knowledge of each other’s types. In the limit as n goes to infinity, the 
approximate equilibrium becomes exact. The mediator also implements an approximately optimal 
routing, in that the welfare of the suggested routing is suboptimal by an additive term that is 
sublinear in n. Hence, if the cost of the optimal routing grows linearly, or nearly linearly in n, then 
the approximately optimal flow achieves a fraction of the optimal social welfare that is arbitrarily 
close to 1. 

1.1 Our Techniques and Main Results 

At a high level, the approach we take is to design a mediator which takes as input the reported 
source/destination pairs of each agent, and as a function of those reports: 

1. Computes the optimal routing given the reported demands, and 

2. Computes fixed tolls that make this routing a Nash equilibrium, and finally 

3. Suggests to each player that they play their part of this optimal routing. 

However, implementing each of these steps straightforwardly does not make good behavior an 
equilibrium in general. Agents may hope to gain in two ways by misreporting their type: they 
may hope to change the tolls charged on the path that they eventually take, and they may hope 
to change the algorithm’s suggestions to other players, to change the edge congestions. Simply 
because the game is large, and hence each player has little direct effect on the costs of other players 
does not necessarily mean that no player’s report can have large effect on an algorithm which is 
computing an equilibrium (see e.g. Kearns et al. (2014) for an example). 

To address this problem, we follow the approach taken in Kearns et al. (2014); Rogers and Roth 
(2014) and compute the optimal routing and tolls using joint differential privacy. Informally, joint 
differential privacy guarantees that if any agent unilaterally misreports her demand, then it has 
only a small effect on the routes taken by every other agent , as well as on the tolls. (It of course 
has a very large effect on the route suggested to that agent herself, since she is always given a 
route between her reported source/sink pairs!) As we show, this is sufficient to guarantee that 
an agent cannot benefit substantially by misreporting her demand. Assuming the other agents 
behave honestly—meaning they report their true demand and follow their suggested route—then 
the fact that the algorithm also is guaranteed to compute a routing which forms an approximate 
equilibrium of the game, given the tolls, guarantees that agents cannot do substantially better than 
also playing honestly, and playing their part of the computed equilibrium. 

In order to do this, we need to develop new techniques for convex optimization under joint 
differential privacy. In particular, in order to find the socially optimal flow privately, we need the 
ability to privately solve a convex program with an objective that is not linearly separable among 
players, and hence one for which existing techniques Hsu et al. (2014b) do not apply. 

We now informally state the main theorem of this paper. It asserts that there is a mediator that 
incentivizes good behavior as an ex-post Nash equilibrium, while implementing the optimal flow. 
Here we assume that the latency functions on the edges are bounded by the number of players n 


4 


and are Lipschitz continuousalthough our formal theorem statement gives more general parameter 
tradeoffs. 

Theorem 1.1 (Informal). For large 1 routing games with n players and m edges, there exists a 
mediator M such that good behavior is an r] eq -approximate Nash equilibrium in the mediated game 
where 

heq = O ^m 3//2 n 4//5 ^ 

and when players follow good behavior, the resulting flow is an r) ovt -approximately optimal average 
flow for the original routing game where 

ho P t = O (mn A/5 ^j . 


To interpret this theorem, let us write OPT to denote the average player latency in the socially 
optimal flow. Note that in this parameter regime (latency functions which are bounded by n and 
Lipschitz), if the value OPT increases at a rate faster than n 4 / 5 as the population n grows, then 
our mediator yields a flow that obtains average latency (1 + o n (l)) • OPT. 2 We view this condition 
on OPT as very mild. For example, if the network is fixed and all of the latency functions have 
derivatives bounded strictly away from zero, then the optimal average latency will grow at a rate of 
fl(n). Our results hold even when the optimal average latency grows sublinearly. Similarly, in this 
setting, for a 1 — o n (l) fraction of individuals the latency of their best response route also grows 
at a rate of O(n), and hence our mediator guarantees that for a (1 — o n (l))-fraction of individuals, 
they are playing an (1 — o n (l))-approximate best-response (i.e. they cannot decrease their latency 
by more than a 1 — o n (l) multiplicative factor by deviating from the mediator’s suggestion). 

1.2 Related Work 

There is a long history of using tolls to modify the equilibria in congestion games (see e.g. Beckmann et al. 
(1956) for a classical treatment). More recently, there has been interest in the problem of com¬ 
puting fixed tolls to induce optimal flows at equilibrium in various settings, usually in non-atomic 
congestion games (see e.g. Cole et al. (2003); Fleischer et al. (2004); Karakostas and Kolliopoulos 
(2004); Fleischer (2005); Swamy (2007); Fotakis et al. (2010) for a representative but not exhaustive 
sample). These papers study variations on the problem in which e.g. tolls represent lost welfare 
Cole et al. (2003), or in which agents have heterogenous values for money Fleischer et al. (2004), 
or when agents are atomic but flow is splittable Swamy (2007), among others. Tolls in atomic 
congestion games have received some attention as well (e.g. Caragiannis et al. (2006)), though to 
a lesser degree, since in general atomic congestion games, tolls do not suffice to implement the 
optimal flow as the unique equilibrium). These works all assume that agent demands are known, 
and do not have to be elicited from strategic agents, which is where the present paper departs from 
this literature. Recently, Bhaskar et al. Bhaskar et al. (2014) consider the problem of computing 
tolls in a query model in which the latency functions are unknown (demands are known), but not 
in a setting in which agents are assumed to be behaving strategically to manipulate the tolls. 

Modifying games by adding “mediators” is also well studied, although what exactly is meant 
by a mediator differs from paper to paper (see e.g. Monderer and Tennenholtz (2003, 2009); 
Rozenfeld and Tennenholtz (2007); Ashlagi et al. (2009); Peleg and Procaccia (2010) for a represen¬ 
tative but not exhaustive sample). The “weak mediators” we study in this paper were introduced in 

Mhe formal notion of largeness we require is detailed in Assumption 2.3. 

2 Here, o ra ( 1) denotes a function of n that approaches 0 as n —>• oo. 
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Kearns et al. (2014); Rogers and Roth (2014), who also use differentially private equilibrium com¬ 
putation to achieve incentive properties. Our work differs from this prior work in that Kearns et al. 
(2014); Rogers and Roth (2014) both seek to implement an equilibrium of the given game, and hence 
do not achieve welfare guarantees beyond the price of anarchy of the game. In contrast, we use tolls 
to modify the original game, and hence implement the socially optimal routing as an equilibrium. 

The connection between differential privacy, defined by Dwork et al. (2006), and mechanism 
design was first made by McSherry and Talwar (2007), who used it to give improved welfare guar¬ 
antees for digital goods auctions. It has since been used in various contexts, including to design 
mechanisms for facility location games and general mechanism design problems without money 
Nissim et al. (2012). The connection between joint differential privacy and mechanism design 
(which is more subtle, and requires that the private algorithm also compute an equilibrium of 
some sort) was made by Kearns et al. (2014) in the context of mediators, and has since been 
used in other settings including computing stable matchings Kannan et al. (2015), aggregative 
games Cummings et al. (2014), and combinatorial auctions Hsu et al. (2014b). 

2 Model 

2.1 The Routing Game Problem 

In this section we introduce the atomic unsplittable routing game problem that we study. An 
instance of a routing game T = ( G , l, s) is defined by 

• A graph G = ( V,E ). We use m = \E\ to denote the number of edges. 

• A latency function £ e : M>o —>• M>o for each edge e € E. Each latency function maps the 
number of players who send flow along that edge to a non-negative loss. 

• A set of n source-destination pairs s = (si,...,s n ). Each pair s* = (sj,sf) G S = V x V 
represents the demand of player i. We use n to denote the number of players. 

The objective is to (approximately) minimize the total latency experienced by all the players 
in the network. Let .F(s) = (.F(si), • • • ,T(s n )) be the set of feasible individual flows for demand s 

and T = {J-'(s) : s € 5} be the set of all feasible individual flows. Notice that an element of J-(s) 

is a vector of n separate flows, one for each player. That is, an individual flow is specified bynxm 
variables representing the amount of flow by each player routed on each edge. Specifically, given a 
graph G, F{ s) is the set of unsplittable flows x = (xi,e)ie[n],ee£ € {0, l} nxm such that 

f 1 u = sj 

bi,u = < -1 u = sj (1) 

[ 0 else 

bi : u + ^ ^ ^ ^ 'tfu G V Vf G [n] (2) 

v:(u,v)GE v:(v,u)£E 

For a given routing game instance T = (G, £, s), we seek a flow x G J(s) that minimizes the average 
latency 0(x) 


'Vi : e * £-e 

i =1 e&E 


*(-)■■= 7. 


E 

i=l 


(3) 
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We will sometimes write OPT(s) = </>(x*), were x* is the minimum average cost flow for the 
routing game T = (G,£, s) when the graph G and latencies £ are known from context. In this work 
we settle for an approximately minimum average cost flow, which we define below. 

Definition 2.1 (Approximately Optimal Flow). For a routing game T, and parameter r) op t > 0, a 
flow x is 77 0 pt-approximately optimal if x G -F(s) and 

0(x) < OPT(s) + T] opt . 

We are interested in strategic players that want to minimize their individual cost 

<M X ) = Xi ’ e ' M x i’ e • 

e6 E \j=l / 

We thus define an approximate Nash flow. 

Definition 2.2 (Approximate Nash Flow). For a routing game T and parameter r] eq > 0, a flow x 
is an r] eq -approximate Nash flow if x € -F(s) and for every x t G IF(si) 

</>i(*) < +r)eq MXi G J'(Si). 

When x is a 0-approximate Nash flow, we simply say that it is a Nash flow. 

Throughout, we will make the following assumptions about the latency functions. 

Assumption 2.3. For every edge e € E, the latency function £ e is (1) non-decreasing, (2) convex, 
(3) twice differentiable, (4) bounded by n (i.e. £ e (n) < n), and (5) 7 -lipschitz (i.e. | £ e (y) — £ e (y')\ < 
7 I y — y'\ for all e G E) for some constant 7 > 0. 

Item 1 and 2 are natural and extremely common in the routing games literature. Item 3 is a 
technical condition used in our proofs that can likely be removed. Item 4 and 5 are the “largeness 
conditions” that ensure no player has large influence on any other’s payoff. If the Lipschitz constant 
is zero, then we can choose an upper bound parameter 7 > 0 in our analysis. 

2.2 Mediators 

Given an instance T = (G,£, s), we would like the players to coordinate on the social-welfare 
maximizing flow x* where OPT(s) = <^(x*). There are two problems: the first is that the optimal 
flow is generally not a Nash equilibrium, and the second is that even with knowledge of everyone’s 
demands, Nash equilibria are not unique and coordination is a problem. The classical solution to 
the first problem is to have an overseer impose edge tolls r, which are a function of the demands s 
of each player. This makes x* a Nash flow for the routing game instance T T = (G, £ T , s) where 

tl(y) = 4(2/) + r e . 

However the tolls that cause the optimal flow to be an equilibrium depend on the demands, 
and so this approach fails if the overseer does not know s. A simple solution would be to elicit 
the demands from the players, but since the correct tolls depend on the demands, naively eliciting 
them may not lead to a truthful mechanism. 

We solve this problem, as well as the equilibrium selection problem mentioned above, by intro¬ 
ducing a mediator that takes as input the demand of each player and outputs a set of tolls for each 


7 


edge, together with a suggested route for each player to use. Ideally, the players will report their 
demands truthfully, the aggregate of the routes suggested by the mediator will be a social-welfare 
maximizing flow x*, agents will faithfully follow their suggestion, and the tolls will be chosen to 
make x* an (approximate) Nash flow. However, players have the option to deviate from this desired 
behavior in several ways: they may not report their demand to the mediator at all, might report a 
false demand, or might not follow the mediator’s suggestion once it is given. Our goal in designing 
the mediator is to guarantee that players never have significant incentive to deviate from the desired 
behavior described above. 

Formally, introducing the mediator gives rise to a modified game Tm = (G,£,s,M). The 
mediator is an algorithm M : {_l_U5} n —» F n x M m . The input from each player is either a demand 
oral symbol indicating that the player opts out. The output is a set of routes, one suggested to 
each player, together with a collection of tolls, one for each edge. We write the output as 

M(s) = ((Mf( S )), £H ,M'( S )). 

The edge tolls M r (s) = (Mf (s)) e£ E that M outputs will enforce the optimal flow induced by the 
reported demands. Note that the tolls that M outputs to each player are the same (i.e. the players 
are not charged personalized tolls; rather there is a single toll on each edge that must be paid by 
any player using that edge). 

In Tm each player can opt-out of using the mediator, denoted by the report _L, and then select 
some way to route from his source to his destination, or a player can opt-in to using the mediator, 
but not necessarily reveal her true demand, and then the mediator will suggest a path x, to route 
her unit flow from the reported source to the destination. Players are free to follow the suggested 
action, but they can also use the suggestion as part of an arbitrary deviation, i.e. they can play 
any action /(xj) for any / : F —»■ F. Thus, the action set A for any player for the game instance 
Tm is A = A\ U A 2 where A\ = {(s', /) : s' € S, f : F —>• F} and A 2 = {(X, /) : / constant }. 

We next define the cost function for each player in Tm, but first we must present some notation. 
Let F be the set of possible functions fi : F F, where /,;(xj) = (fi !e {xi te )) e eE- We further 
write f e (x) = Yl?=i fi,e( x i,e) as the new congestion on edge e when players have deviated from x 
according to functions fi for [n]. We will consider only randomized algorithms, so our cost is 
an expectation over outcomes of M. More formally, the cost that each player experiences in 
Tm is defined as 


cj) M : S x [(1 U S) x F] n -> K 




\1 

S',f)):= E 

(x,t)~M( s') 

^ J fi,e( x i,e ) 

4 (/e(x)) +T e 

e&E 

V 4(/e( x )) / . 


where s* is player V s true source-destination pair. 

We are interested in designing mediators such that good behavior in the mediated game is an 
ex-post Nash equilibrium, which we define below. 

Definition 2.4 (Ex-Post Nash Equilibrium). A set of strategies {ct* : S — >• M}" =1 forms an ??- 
approximate ex-post Nash equilibrium if for every profile of demands s € S n , and for every player 
i and action a* € A: 

cj) M (Si , (cri(si),cr-i(s-i))) < (j) M (Si, (ai,a-i(s-i))) + rj. 

That is, it forms an ^-approximate Nash equilibrium for every realization of demands. 







Our goal is to incentivize players to follow good behavior —truthfully reporting their demand, 
and then faithfully following the suggested action of the mediator. Formally, the good behavior 
strategy for player i is = (sj, id) where s* is V s actual demand, and id: F —> T is the identity 

map. We write £* = Ci( s i) for the good behavior strategy. 

To accomplish this goal, we will design a mediator that is “insensitive” to the reported demand 
of each player. Informally, if a player’s reported demand does not substantially effect the tolls 
chosen by the mediator, or the paths suggested to other players, then a player has little incentive 
to lie about his demand (of course any mediator with this property must necessarily allow the path 
suggested to agent i to depend strongly on agent i’s own reported demand!). We capture this notion 
of insensitivity using joint differential privacy Kearns et al. (2014), which is defined as follows. 

Definition 2.5. (Joint Differential Privacy Kearns et al. (2014)) A randomized algorithm Ni : 

S n —> O n , where O is an arbitrary output set for each player, satisfies (e,J)-joint differential 
privacy if for every player i, every pair Si,s[ G S , any tuple S-i G 5 n_1 and any C 0 ra_1 , we 
have P [M{si, s_j)_; G B_f\ < e £ ■ P [A4 (s', s_;)_; € U_;] + S. 

Joint differential privacy (JDP) is a relaxation of the notion of differential privacy (DP) Dwork et al. 
(2006). We state the definition of DP below, both for comparison, and because it will be important 
technically in designing our mediator. 

Definition 2.6. (Differential Privacy Dwork et al. (2006)) A randomized algorithm A4 : S n —> O 
satisfies (e, ^-differential privacy if for any player i, any two Sj,s' G S, any tuple s_j G 5 n_1 , and 
any B C O we have P [A4(sj, S-f) G B] < e e ■ P [A4(s', S-f) G B] + 5. 

Note that JDP is weaker than DP, because JDP assumes that the output space of the algorithm 
is partitioned among the n players, and the output to player i can depend arbitrarily on the input 
of player i, and only the output to players j f i must be insensitive to the input of player i. This 
distinction is crucial in mechanism design settings—the output to player * is a suggested route for 
player i to follow, and thus should satisfy player i’s reported demand, which is highly sensitive to 
the input of player i. Also note that since our mediator will output the same tolls to every player, 
the tolls computed by the mediator must satisfy standard DP. 

A key property we use is that a JDP mediator that also computes an equilibrium of the un¬ 
derlying game gives rise to an approximately truthful mechanism. This result was first shown in 
Kearns et al. (2014); Rogers and Roth (2014), although for simpler models that do not include 
tolls. We now state and prove a simple extension of this result that is appropriate for our setting. 

Theorem 2.7. Given routing game T = (G,£, s) and upper bound U on the tolls, let M : (J_U5) n —>• 

T n x [0 ,U] m where M{ s') = (M- F (s'),M T (s')) ig | n j satisfies 

1. M is (e, 5)-joint differentially private. 

2. For any input demand profile s, we have with probability 1 — fj that x = (Mf (s))" =1 is an 

rj eq - approximate Nash flow in the modified routing game r r = s) where 

£f(y):=Uy)+Mf(s) Me G E. 

Then the good behavior strategy £ = (£i,...,£ n ) forms an rj- approximate ex-post Nash equilibrium 
in Tm = (G,£, s, M), where 

V = Veq + m(U + n)( 2s + f3 + 6). 
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Proof. We fix s € S n to be the true source destination of the players. We consider a unilateral 
deviation £'(sj) = (s',/') for player i to report s' and use /', which we write as £'. We write the 
modified cost function for player i in r r with tolls r e = Mf (s) to be 




eeE 


E- 

J =1 


y J,e 


+ T e 


We define the best response flow that player i of demand s,; can route given the flows of the other 
players to be 

BRJ (x_i) = argmin{0[(xj,x_j)} . 

Xi&T(si) 

We first condition on the event that M gives an ^-approximate Nash flow in r T . 




E 


(x,r)~M(s) (x,r)~M(s) 

We then use the fact that M is JDP. We write s' = (s^,s_j) 


'[ (xi, x_j)] < E UJ ( BRJ (x_j), x_j)] + rj eq 


<t> < e 

< 


£ i E 

(x,r)~M(s 


ffii (BRJ (x_j), x_j)]^ + m(U + n)5 + rj eq 
- . E [0[(Si?[(x_i),x_i)] +m(U + n) (2e + -5) + rj eq 

(x,r)~M( s') 

< E [^(/i(*i),x_i)] +m(U + n) {2s + d) + rj eq 

(x,r)~M( s') 

The first inequality comes from using the fact that M is (e, 5)-JDP and the fact that <pj (x) < 
m(U + n). The second inequality uses the fact that e £ < l + 2e for e < 1. The last inequality follows 
from the fact that player i can only do worse by not best responding to the other players’ flows. 
Lastly, we know that M does not produce an ^-approximate Nash flow in r r with probability less 
than (3, which gives the additional /? term in the theorem statement. □ 

The rest of the paper will be dedicated to constructing such a mediator that satisfies the 
hypotheses in Theorem 2.7. We now state the main result of our paper. 

Theorem 2.8. For routing games T that satisfy Assumption 2.3 and parameter /3 > 0, there exists 
a mediator M : {T U S} n —>• J- n x [0, ny]" 1 such that with probability 1 — /3 good behavior forms an 
rj-approximate ex-post Nash equilibrium in T m where 

Tj = O (jn 3 / 2 n 4 / 5 

and the resulting flow from the good behavior strategy is r] op t-approximately optimal for 

Vopt = O (mn 4/5 
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3 Flow Mediator with Tolls 


We start by presenting a high level overview of the design of our algorithm. Our goal is to design a 
mediator that takes as input the demands, or source-destination pairs, s of the players and outputs 
a nearly optimal flow x* for T = (G,£, s) together with edge tolls r, such that the tolls are not 
heavily influenced by any single player’s report and no one’s report has major influence on the flow 
induced by the other players. Further, we need the tolls r to be carefully computed so that x* is 
also an approximate Nash flow in the instance T 7 " = (G,£ T , s). We construct such a mediator in 
the following way: 

1. We compute an approximately optimal flow x* subject to JDP, using a privacy preserving 
variant of projected gradient descent. This ends up being the most technical part of the paper 
and so we leave the details to Section 4 and give the formal algorithm P-GD in Algorithm 
6 . For the rest of this section we assume we have x*. 

2. Given x*, we need to compute the necessary tolls t such that players are approximately best 
responding in T T = (G, £ T , s) when playing x*. We compute r as a function of a noisy version 
of the edge congestion y induced by the flow x* so that f is DP. We give the procedure 
P-CON that computes y in Algorithm 2. We must be cautious at this step because x* is only 
approximately optimal (and the tolls are computed with respect to a perturbed version of 
the induced congestion), so there may be a few players that are not playing approximate best 
responses in r r . We call these players unsatisfied. 

3. We show that the number of unsatisfied players in r r with flow x* is small, so we can 
modify x* by having the unsatisfied players play best responses to the induced flow. Because 
the number of unsatisfied players was small, we can show that this modification does not 
substantially reduce the payoff of the other players. Therefore, if those players were playing 
approximate best responses before the modification, they will continue to do so after. The 
procedure P-BR, given in Algorithm 3, ensures every player is approximately best responding. 
The result is a slightly modified flow x which is nearly optimal in T and an approximate Nash 
flow in r r . 

4. The final output is then x and f. 

Our mediator FlowToll is formally given in Algorithm 1 and is composed of the subroutines 
described above. In FlowToll we are using P-GD as a black box that computes an a-approximate 
optimal flow. Theorem 4.10 shows that we can set 


a = O 



(5) 


The rest of this paper is dedicated to analyzing the subroutines of FlowToll. 

Remark 3.1. Throughout our discussion of the subroutines, we will sometimes say “player i 
plays...” or “player i best responds to...” to describe player i’s action in some flow computed 
by these subroutines. While these descriptions are natural, they could be slightly misleading. We 
want to clarify that our mediator mechanism is not interactive or online, and all the computation 
is done by the algorithm. The players will simply submit their private source-destination pairs and 
will only receive a suggested feasible path along with the tolls over the edges. 
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Algorithm 1 Flow Mediator with Tolls 

Input: A routing game instance F = (G,£, s); privacy parameter (e, 5); failure probability (3 
Output: Xi , a (sj, s 2 )-flow for each player i € [n], and a toll r e for each edge e € E 

procedure FlowToll(F, e, 6, (3) 

1 . Compute an a-approximately optimal flow 


x 


p-gd r 


e 5 (3 
’ 4’ 2’ 2 


2. Compute congestion y 4— P-C0N(x*, e/4) and tolls f 4— r*(y e ) where r*(-) is given in ( 6 ). 

3. Improve some players’ paths 


x 4 — P-BR r T ,y,x*,4 y/m.'ya + 


87 m 2 log(2m//3) 


return x and f 
end procedure 


3.1 Private Tolls Mechanism 

We show in this section that given an approximately optimal flow x* we can compute the necessary 
tolls f in a DP way. Ultimately, we want to compute constant tolls, but a useful intermediate step 
is to consider the following functional tolls, which are edge tolls that can depend on the congestion 
on that edge. Specifically, we define the marginal-cost toll r*: R —>■ R for each edge e € E to be 

T e(y) = (y- !)(4(y) -4(y-1)), (6) 

which gives rise to a different routing game T r = (G, £ T , s) with latency function defined as 
Z T e*{y) = 4(2/) + T*(y) for e G E. 

We first show that a marginal-cost toll enforces the optimal flow in an atomic, unsplittable 
routing game, and then show how to use this fact to privately compute constant tolls that ap¬ 
proximately enforce the optimal flow at equilibrium. Recall the classical potential function method 
Monderer and Shapley (1996) for congestion games that defines a potential function T : R raxm —>• R 
such that a flow x that minimizes T is also a (exact) Nash flow in r r * = (G,£ T *, s), where 

2/e 1/e 

®( x ) := = &(*) +T e (*)] » and y e = S £ j x i ^. (7) 

eeE i =1 eeE i =1 ie[n] 

Lemma 3.2. Let x* be the (exact) optimal flow in routing game T = (G,£, s), t/ien x* is a Nash 
flow in r r = (G, £ T , s) 

Proof. First, we show that n ■ 0(x) = T(x) where <fi is given in (3): 

2/e 2/e 

*w = EE +<(/)] = E E [<.(o + (/ -1)(4(*) - «* -1))] 

e i=l e i=l 

2/e 

= X] [*4(*) ~ (* - !)4(* - i)] = [j/e 4( 2 /e) - 04 ( 0 )] = y^y e 4(j/ e ) = « • 0(x). 

e j=l e e 
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Note that x* minimizes the potential function T. We know from Monderer and Shapley (1996) 
that the flow that minimizes the potential function 'I' is a Nash flow of the routing game r r * . Hence 
x* is a Nash flow. □ 

Since we only have access to an approximately optimal flow x*, we will compute the marginal- 
cost tolls based on x* instead. In order to release DP tolls, we compute them using a private version 
y e of the total edge congestion y e = Yli x i e output by P-CON (presented in Algorithm 2). 

Using a standard technique in differential privacy, we can release a private version of the edge 
congestion by perturbing the congestion on each edge with noise from an appropriately scaled 
Laplace distribution. Since the analysis is standard, we defer the details to Section A.l. Lastly, to 
get the constant tolls for the mediator FlowToll, we will evaluate the marginal-cost toll function 
on the perturbed edge congestion y: set f e = r*(y e ) for e € E. 


Algorithm 2 Private Congestion 
Input: Flow x, privacy parameter e 
Output: Aggregate flow y = ( y e )e&E 
procedure P-C0N(x, e) 
for each edge e € E do 

Let y e = J2i x i,e + Z e , where Z e ~Lap(m/e). 
if Ve > n then 

Ve<r- n. 

return y 

end procedure 


To show that the constant tolls f are private, we need to first show that the noisy congestion y 
output by P-CON is DP in the demands s. We will show later that P-GD which computes x* is JDP 
in s. We then use x* as input to P-CON, which we know is DP with respect to any flow input x. 
To bridge the two privacy guarantees, we rely on the following composition lemma (with proof in 
Appendix A.3) to show that y is DP in s. 

Lemma 3.3. Let Mj : S n —» X n be (ej, 5)-jointly differentially private. Further, let Md : X n —>• O 
be Ed- differentially private. If M : S n —>• O is defined as 

M(s) = M d (Mj{ s)) 

then M is (2 Ed + £j, 8)-differentially private. 

Now we are ready to establish the privacy guarantee of both y and r . 

Corollary 3.4. Given the approximately optimal flow x* computed from P-GD(T, e/4, <5/2, fi/2), 
the perturbed congestion y output by P-CON(x* ,e/4) and the constant tolls t = (T*(y e )) ee £ are 
(3 e/&, 8/2)-differentially private in the demands s. 

Proof. Note that x* is output by P-GD(r, e/4, 8/2, (3/2), so it is (e/4, <5/2)-JDP in s. Using analysis 
of the Laplace mechanism(Section A.l), we know that P-C0N(x*, e/4) is (e/4)-DP in x*. Therefore, 
the noisy congestion y output by the composition of these two functions is (3e/4, <5/2)-DP by 
Lemma 3.3. Since r is simply a post-processing of the noisy congestion y, we know that t is 
(3e/4, d/2)-DPby Lemma A.l. □ 


13 





3.2 Simultaneous Best Responses of Unsatisfied Players 

At this point of the mechanism, we have computed the approximately optimal flow x* and constant 
tolls f that define the tolled routing game T T . In this section, we show how to modify x* to obtain 
a new approximately optimal flow x that is also an approximate Nash equilibrium in the presence 
of the same constant tolls t. 

Recall from Lemma 3.2 that there is an exactly optimal flow x* and functional tolls r* such 
that x* is an exact Nash flow of the routing game under tolls r*. Our flow-toll pair (x*,f) differs 
from (x*,r*) in three ways. 

1. The flow x* is only approximately optimal. 

2. The tolls f we impose on the edges are constants while the functional tolls t* may be functions 
of the congestion. 

3. Tolls r are derived from noisy congestion y, not the exact congestion y* = JTx*. 

As a result, there may be some unsatisfied players who could significantly benefit from deviating 
from x*. We obtain the new approximate Nash flow x by rerouting the unsatisfied players in x* 
along their best response route in the flow x* with constant edge tolls f. To analyze the new flow 
x, we show that there are not too many unsatisfied players. Thus, even if we modify the routes of 
all of the unsatisfied players, the overall congestion does not change too much, and thus the players 
who were previously satisfied remain satisfied. 

To determine if a player is unsatisfied and what their best response is, we need to know the 
costs they face for different paths, which depends on the flow y* = ^Ax*. However, to ensure 
privacy, we only have access to a perturbed flow y. Thus, we will define unsatisfied players relative 
to this noisy flow y computed by P-CON. More generally we can define the best response function 
of a player relative to any flow y. 

Given any congestion y (not necessarily even a sum of feasible individual flows) and routing 
game T = ( G , £, s), we define c Xi (y) to be player z’s cost for routing on path x; under the congestion 
of y, that is 

Pxi(y) = x i,e ■ 4(y e )- (8) 

e&E 

Note that Li c Xi (y) = n<f>(x.) and c Xi (y) = <^(x) when y e = Ya =i x i,e for e € E. We then define 
the condition for being unsatisfied with respect to congestion y as follows. 

Definition 3.5. Given congestion y and routing game T = (G,£, s), we say that a player i with 
Sj-flow Xj is p-unsatisfied with respect to y if he could decrease his cost by at least p via a unilateral 
deviation. That is, there exists a path x( £ J-(si) such that 

Cx'(y') < Pxi(y) - p 

where y' = y — Xj + x( is the flow that would result from player i making this deviation. If player i 
is not p-unsatisfied, then we say i is p-satisfied. We will sometimes omit y if it is clear from context. 

The next lemma bounds the number of unsatisfied players in x* in the routing game T T = 
(G, £ T f, s) with respect to the noisy congestion y • 

Lemma 3.6. Let x* be an a-approximately optimal flow, y = P-CON(x.*,e ) be the noisy aggregate 
flow, and t = r*(y) be a vector of constant tolls. Then with probability at least 1 — /3 for ft > 0, there 
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are at most yjnaf4rrvy players who are ( £ -unsatisfied players in T r with respect to the congestion 

y, for 

7 m 2 log (m//3) 


( £ = Ay/mn'ya + 8 - 

C. 

We will now give a rough sketch of the proof, . The full proof appears in Appendix B. 


(9) 


Proof Sketch. First, we will consider the routing game T T under the (functional) marginal-cost 
toll. We will also assume for now that we have the exact congestion y* = x*. Recall from 
Lemma 3.2 that the potential function T for this game is equal to the total congestion cost n ■ <f. 
Since x* is an a-approximate optimal flow, it also approximately minimizes T up to error n ■ a. 
The construction of 'L is such that if a player who is p-unsatisfied with respect to y* plays her 
best response, then T decreases by at least p. Therefore the number of p-unsatisfied players with 
respect to y* is at most na/p. Here we are intentionally being slightly imprecise to ease exposition. 
See the full proof for details. 

Now, consider the routing game T T = (G, £ + r, s) that arises from using the constant tolls 
r = r*(y*). Note that under functional tolls r*, when a player best responds, the tolls may change, 
however under constant tolls r the tolls do not change. This might increase the number of players 
who can gain by deviating. However, notice that when one player changes their route, the tools r* 
and r e can only change by 7 , since r* is 7 -Lipschitz. Thus changing from tolls r* to r can only 
change the cost any player faces on any route by my. Therefore, we can argue that the number of 
(p + 2 m 7 )-unsatisfied players with respect to y* in the game T r is also at most na/p. 

The last issue to address is that we compute the tolls from the noisy congestion y instead of 
the exact congestion y*. This has two effects: 1) the constant tolls t = r*( y) are different from 
the constant tolls r = T*(y*) analyzed above and 2) we want to measure the number of unsatisfied 
players with respect to y instead of y*. We can address both of these issues using the fact that the 
noise is small on every edge. Therefore \y e — y e \ is small, and since r* is Lipschitz, |r e — f e | is small 
as well. In the full proof we carefully account for the magnitude of the noise and its effect on the 
cost faced by each player to obtain the guarantees stated in the lemma. □ 

We have so far shown that there might be a few players that are unsatisfied with their current 
route in T r = ( G,£ + f,s) when they only know a perturbed version of the congestion y. We 
then let these unsatisfied players simultaneously change routes to the routes with the lowest cost 
(according to the cost c Xi (y)). This procedure, P-BR, is detailed in Algorithm 3. 

We are now ready to show that the final flow assignments x resulting from the procedure 
P-BR(r r ,x',C £ ), where x* is an a-approximate optimal flow in T and ( £ is given in (9), forms an 
approximate Nash equilibrium in the game r r and remains an approximately optimal flow for the 
original routing game instance T. 

Lemma 3.7. Fix any a > 0 and /3,e € (0,1). Let T = (G,£, s) be a routing game and x* be an a- 
approximately optimal flow in T. Let x = P-BR(T T , y, x*, ( £ ) for f £ given in (9), y = P-CONfx*, e), 
and t = r*(y). Then with probability at least 1 — fl, ~k is an p eq (a)-Nash flow in r r = ( G,£ + f,s) 
where 

m 2 log (m/(3) 


p e q(a) = O \/mna + 


and x is an r} op t{a)-approximate Nash flow in T where 

Vopt (of) = O (a + y/mna ) 


( 10 ) 


( 11 ) 
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Algorithm 3 Private Best Responses 

Input: Routing game instance T, congestion y, flow assignment x, satisfaction parameter £ 
Output: New flow assignment x 

procedure P-BR(r, y, x, £) 

Let x x 

for each player i € [n] do 

if i with flow x ? ; is ^-unsatisfied with respect to congestion y in game T then 
Replace x,; by the route with the lowest cost given congestion y. 

Xj <— argmax|c x / (y 7 )| (breaking ties arbitrarily) 

Where y' e = y e - 1 if x^ e = 1, x\ e = 0; y' e = y e + 1 if x ifi = 0, x' i e = 1; else y e = y' e . 

return x 
end procedure 


Proof. First, to show that x forms an approximate Nash flow, we need to argue that all players 
are approximately satisfied with respect to the actual congestion y = JTxj. As an intermediate 
step, we will first show that all players in x are approximately satisfied with the input perturbed 
congestion y. 

By Lemma 3.6, we know that the number of £ e -unsatisfied players that deviate in our instanti¬ 
ation of P-BR is bounded by 

y/na/(2y/rn? y) = K. 

After these players’ joint deviation, the congestion on any path is changed by at most mK, so the 
total cost on any path is changed by at most m'yK = sjnmcr]/2. Therefore, the players that deviate 
are y/rnncry-satisfied in r r with respect to congestion y after the simultaneous moves. Similarly, 
the players that were originally £ e -satisfied in r r with congestion y remain (£ e + yTfTncryj-satisfied 
with y even after the joint deviations. 

From standard bounds on the tails of Laplace distribution (Lemma A.4), we can bound the 
difference between y and X^ x * : with probability at least 1 — (3, 

lly - XT x * H°° < 2mlog(m//3)/e 
1 

Since the number of players that deviate in P-BR is bounded by K , we could bound ||y — JT x'Hoq < 
K. By triangle inequality, we get 


lly - y lloo < 2 m log {m//3)/e + K. 

Since all players in x are (£ e + ^/mnayj-satisfied with congestion y, by Lemma B.4, we knowthat 
they are also ? 7 e g-satisfied with the actual congestion y, where 

„„ = 4 + v ^ + Li!hW« + 2 K lm = 12 t-" 2 i 

Hence, the flow x forms an r 7 eg -approximate Nash flow in game r T . To bound the cost of x, 
note that for each edge e, the number of players can increase by at most K. Let y* = x* , then 
for each edge, y e l e (ye) ~ yl^e ( y *) < n'yK + 717 = nK( 7 + 1). 
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Therefore, the average cost for x is 




- V] VeMye) < +mK( 7 +I) < OPT(s) + a + 

n n z ' 

e€E e&E 


y/rrvnqa 

2 


+ 


y/mna 

2^7 


This completes the proof. 


□ 


3.3 Analysis of FlowToll 

Now that we have analyzed the subroutines P-CON and P-BR along with computing the private 
tolls f, we are ready to analyze the complete mediator FlowToll. Note that in this analysis we 
will assume that the subroutine P-GD is a blackbox that is JDP and computes an approximately 
optimal flow in T. 

We first prove that the mediator FlowToll is JDP. This will give the first condition we require of 
our mediator in Theorem 2.7. A useful tool in proving mechanisms are JDP is the billboard lemma, 
which states at a high level that if amechanism can be viewed as posting some public signal (i.e. 
as if on “a billboard”) that is DP in the players’ demands, from which (together with knowledge of 
their own demand) players can derive their part of the output of the mechanism, then the resulting 
mechanism is JDP. 

Lemma 3.8 (Billboard Lemma Rogers and Roth (2014); Hsu et al. (2014a)). Let M : S n —>• O be 
an (e, 5)-differentially private mechanism and consider any function 9 : S x O —>• A. Define the 
mechanism M' : S n —>• A n as follows: on input s, M! computes o = M. (s), and then A4'(s) outputs 
to each i: 

M'(s)i = 9(si,o). 

M! is then ( e, 5)-jointly differentially private. 

We show that FlowToll is jointly differentially private via the billboard lemma. 

Theorem 3.9. For e,6,fi > 0, the procedure FlowTol l(r, e, 5, ft) in Algorithm 1 is ( e, 5)-joint 
differentially private in the player’s input demands s. 

Proof. In order to show JDP using the Billboard Lemma, we need to show that for each player 
i, the output flow Xj and toll vector f can be computed only based on Vs demands s t and some 
(e, <5)-DP signal. 

In Theorem 4.2, we show that the subroutine P-GD(r, e/4, S/2, fi/2) operates in the Billboard 
model, and can be computed from some (e/4, <5/2)-DP billboard signal A. 

Note that the output flow x,; for each player i produced by P-BR(r r , y, x*, Ce/a) J us t a 
function of the perturbed congestion y, x* and player Vs demand. Recall that we know that 
y = P-C0N(x*, e/4) is (3e/4, <5/2)-DP in s by Corollary 3.4. Therefore, the output flow x,; for each 
i is just a function of the (e, d)-DP signal (A, y), and Vs demand s*. Also, the tolls f are computed 
as a function only of y. Therefore, by the Billboard Lemma 3.8, the mediator FlowToll(r, e, 6, ff) 
satisfies (e, d)-JDP. □ 

Now we give the appropriate choices of the parameters (e, 5, (5) for FlowToll(r, e, 6, ff) that leads 
to our main result in the following theorem. This result follows from instantiating Theorem 2.7 
with a JDP algorithm that computes an approximately optimal flow x and tolls f such that x forms 
an approximate equilibrium in the routing game with tolls t . 
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Proof of Theorem 2.8. Given any routing game instance F = (G,£, s), we first show that FlowToll 
is a mediator that makes good behavior an ^-approximate Nash equilibrium of the mediated game 
r F iowToii for r/ = O (m 3 / 2 n 4 / 5 ) . 

We assume that P-GD(r, e/2, 5/2, (3/2) produces an a-approximate optimal flow x* with prob¬ 
ability 1 — (5 /2 (leaving the formal proofs to Theorem 4.2 and Theorem 4.10) where a is given in 
(5). Consider the instantiation of FlowToll(T, e, 5, /3) with 


£ = 



5 = n 2 , (3 = n 2 . 


Given the functional tolls t* defined in ( 6 ) and the fact that if we ever get an edge congestion 
y e > re from the output of P-CON then we round it down to re, so the edge tolls f e are never bigger 
than rry. Using our bound for r] eq (a ) in (10) and setting rj eq = rj eq (a ) where a is as above, from 
Theorem 2.7 we have with probability 1—fl the bound r/ < y eq +m(U +re)(2e+/3+(5) = O (m 3 ,/ 2 n 4 / 5 ). 

We then show that good behavior results in an ry op j-approximately optimal flow for the original 
routing game instance F, where 

rjopt = O (mn 4/5 ) . 

It then follows that rj opt = r) opt (a) from (11) and for a given in (5). □ 


4 Computing an Approximately Optimal Flow under JDP 

In this section we show how to compute an approximately optimal flow x* under joint differential 
privacy. We first consider a convex relaxation of the problem of minimizing social cost in the routing 
game instance (r,£, s). Let P R ( s) C [0, l] nxm be the set of feasible fractional flows (i.e. the convex 
relaxation of the set J~( s)). Then the optimal fractional flow is given by the convex program: 

min c(y) = - Y' y e 4(?le) 
re 

eG E 

such that x e 3F R {^) C [0, l] nxm 

n 

y e = ^2 x i,e Ve £ E, Vie [re] 
i= 1 

Note that the second derivative of y e l e (y) is 2 £' e (y e ) + Ue^eiVe)- Since £ e is assumed to be convex 
and nondecreasing, the second derivative is non-negative as long as y e > 0. Hence the objective 
function c of this program is indeed convex on the feasible region. 

We write Q R { s) := J~ R ( s) x [0,re] m to denote the space where the decision variables reside, i.e. 
(x, y) e G r ( s). Given any demands s, we write OPT^(s) to denote the optimal objective value of 
the convex program and OPT(s) to be the optimal objective value when x £ T{ s). Note that we 
always have OPT^s) < OPT(s) 

Our goal is to first compute an approximately optimal solution to the relaxed convex program, 
and then round the resulting fractional solution to be integral. We then show that the final solution 
is an approximately optimal flow to the original instance T. 


( 12 ) 

(13) 
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4.1 The JDP Gradient Descent Algorithm 

We will work extensively with the Lagrangian of our problem. For each constraint of (13), we 
introduce a dual variable A e . The Lagrangian is then 

£(x, y, A) = c(y) - ^ A e ( ^ x i>e - y e 

e£E V i 

Since our convex program satisfies Slater’s condition Slater (1959), we know that strong duality 
holds: 



max min £(x, y, A) 

AeR m (x,y)eS«(s) 


min max £(x, y, A) = OPT' R (s). 

(x,y)eQ R (.s) AeR m 


(14) 


We will interpret the Lagrangian objective as the payoff function of a zero-sum game between 
the minimization player, who plays flows z = (x, y), and the maximization player, who plays dual 
variables A. We will abuse notation and write jC(z, A) = £(x, y, A). We refer to the game defined 
by this payoff matrix the Lagrangian game. We will privately compute an approximate equilibrium 
of the Lagrangian game by simulating repeated plays between the two players. In each step, the 
dual player will play an approximate best response to the flow player’s strategy. The flow player 
will update his flow using a no-regret algorithm. 

In particular, the flow player uses an online gradient descent algorithm to produce a se¬ 
quence of T actions {z^ 1 ),... , z^ T )} based on the loss functions given by the dual player’s actions 
{A^ 1 ),..., A^)}. At each round t = 1,..., T, the flow player will update both x® and yW using 
the projected gradient update step GD in Algorithm 4. 


Algorithm 4 Gradient Descent with Projection 

Input: Convex feasible domain T>, a convex function r, some u € T>, and learning parameter r/. 
Output: Some new c J € V. 
procedure GD(D, r, u, rj) 

We define the projection map ILp as 

ILp(r/) = argminllu — r/IL 

vGT> 


We then set 

uJ <— ILd(cu — 7 ?Vr(cj)) 

return u/ 
end procedure 


In order to reason about how quickly the projected gradient procedure converges to an approx¬ 
imately optimal flow, we need to bound the diameter of the space of dual solutions. We will also 
need to argue that bounding the space of feasible dual solutions does not affect the value of the 
game. Specifically, we will bound the dual players’ action to the set 

B = {A g M m | ||A||i < 2m}, (15) 

Then fixing a flow played by the primal player, the dual player’s best response is simply to select 
an edge e where the constraint (13) is most violated and set = ±2 m. Notice that, since the 
constraints depend on the source/sink pairs, and we need to ensure joint differential privacy with 
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respect to this data, we must select the most violated constraint in a way that maintains privacy. 
Using a straightforward application of the DP exponential mechanism McSherry and Talwar (2007), 
we can obtain a constraint that is approximately the most violated. Since this step is standard, we 
defer the details to the appendix. 

From the repeated plays of the Lagrangian Game, we will obtain a fractional solution z = (x, y) 
to the convex program. Finally, we will round the fractional flow x to an integral solution x* for 
the original minimum-cost flow instance T = (G, £, s) using the rounding procedure PSRR proposed 
by Raghavan and Thompson (1987), given in Algorithm 5. The full procedure P-GD is given in 
Algorithm 6. 

Algorithm 5 Path Stripping and Randomized Rounding 

Input: A fractional flow solution x* £ J- R (si) for player i 
Output: An integral flow solution x,- £ J~(si) for player i 

procedure PSRR(x,) 

Let Aj = { Pj } be the set of (sj, s?)-paths in G 
for each path Pj do 

Let Wj = min{xj. e | e £ Pj} 
for each edge e € Pj do 
Let ^ "^2,6 tn j 

Sample a path P from A,, such that P [P = Pj] = Wj 
for each edge e € E do 

Let Xi te = I[e £ P] 

return x; 

end procedure 


4.2 Privacy of the JDP Gradient Descent Algorithm 

We will use Lemma 3.8 (the billboard lemma ) to prove that P-GD satisfies joint differential privacy. 
We first show that the sequence of plays by the dual player satisfies standard differential privacy. 

Lemma 4.1. The sequence {\ {t) }J =1 in P-GD(T,e,5, (3) satisfies (e, 6)-differential privacy in the 
reported types s of the players. 

Proof. At each iteration of the main for-loop, we use the exponential mechanism with quality score 
q to find which edge e has the most violated constraint in (13). By Lemma A.5, each tuple 3 
(•(*), e(*) )is ^'-differentially private. Note that the dual strategy A^ is simply a post-processing 
function of the tuple (•h),e^), and by Lemma A.l, we know that A^ is e'-differentially private. 
By the composition theorem for differential privacy (Lemma A. 8 ), we know that the sequence of 
the dual plays A^ satisfies (e, ^-differential privacy, with the assignment of s' in P-GD. 

□ 


We are now ready to show that our algorithm satisfies joint differential privacy. 

Theorem 4.2. P-GD(T,£,5, (3) given in Algorithm 6 is ( £,5)-jointly differentially private. 

Proof. In order to establish joint differential privacy using the Billboard Lemma (Lemma 3.8), we 
just need to show that the output solution {x*} for each player i is just a function of the dual plays 
{A^} and i’s private data. 

3 Recall that • £ {+, —} indicating whether Xi, e > y e or Xi, e < y e 
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Algorithm 6 Computing Approximately Optimal Flow via JDP Gradient Descent 

Input: Routing Game F = (G,£, s); privacy parameters (e,<5); failure probability f3 
Output: x*, a Si = (sj, sf) flow for each player i G [n] 
procedure P-GD(r, e, 5, (3) 

Define the following quantities: 


0 


eri\ m 


log {mn/P) y/\og{\/8) 

G 


4— e/ \J8T ln(l/h) rj y 


D„ 


D, 


g v Vt 


Vx 


G x Vt 


y -T- y/{m- 1)(7 + l) 2 + (t + 1 + 2m) 2 D y ny/m 
G x g- 2my/n D x G- \Jmn 


Initialize: yW € [0,n] m and x^ € J rR (s). Let z^ 1 ) g- (xW,yW) 
Define the quality score q:Q{ s) x ((+,—) x E) —)• R: 


/e(z) ~ Ve 9 (z, (+,e)) ^ +/e(z) q(z,(-,e))i -/ e (z). 

i 


for t = 1 , • ■ • , T do 

Let (#(*), e^) G- M. e (s, q,e') (The Exponential Mechanism) 
Approximate best-response for the dual player A^: 

if #(*) = -f then A^ t) < - 2m 

else A^ t) < —f2m 

for e' G E \ {e^} do A = 0 

Gradient descent update on the primal: 

Take a step to improve the individual flow variables x (f b 

x (i+1) <- GD(^(s), £(•, yW, A«), xW , Vx ) 

Take a step to improve the congestion variables yh': 

y (m) ^ gD([ 0, n] m , £(x«,AW), y «, 

Let zh+L = (xh +1 ), y^ +1 )) be the new action for the primal player. 

x = y Ylt= 1 x * an d A = if; Y^t =1 ^ 

for each player i do round the fractional flow: x* G- PSRR(xj) 
return x* = (x*) ie[n] 

end procedure 
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Note that initially, each player i simply sets x- 1 to be a feasible flow in the set which 

only depends on V s private data. 

Then at each round t, the algorithm updates the vector using the gradient: 


V x £(x,yW,AW) = ((- 


eSLEJ i£[n] 


The gradient descent update for is 


x 


(t+1) _ TT 

- U.F b (s) 


X 


(*) 


= arg mm 
xeJ rii (s) 


~ Vx(^)ie[n\ 
x- (x (f) -rj x { A (t) ) ie[n] ) 


2 

2 


= arg min > > 

XGJ fl (s) rA* ' 
y iE\n] \e€E 


Xi, 


- (x?l - TfeA^) 


Note that this update step can be decomposed into n individual updates over the players: 


(£+ 1 ) 

x ) 


arg min 
x£J fl (s j) 


E 

eeE 





2 

2 


Since such an update only depends on the private data of i and also the sequence of dual plays 
{A^}, we know that {x^} satisfies (e, 5)-joint differential privacy by the Billboard Lemma. 

Finally, the output integral solution x,; to each player i is simply a sample from the distribution 
induced by the average play of i: x. Therefore, we can conclude that releasing x, to each player i 
satisfies (e, <f)-joint differential privacy. 

□ 


4.3 Utility of the JDP Gradient Descent Algorithm 

We now establish the accuracy guarantee of the integral flow x* computed by the procedure P-GD. 
First, consider the average of the actions taken by both players over the T rounds of the algorithm 
P-GD: z = y Et =l z ^ an d A = Ip Et =l ■ R eca H that the minimax value of the Lagrangian game 
is defined as 


max min £(x, y, A) 
AeR m (x,y)e<J fl (s) 


min max £(x, y, A) = OPT^fs). 

(x.ylee^fs) AeR m 


(16) 


Thus, in order to show that z is a flow with nearly optimal cost (i.e. cost not much larger than 
OPT-R(s)), suffices to show that (z, A) are a pair of “approximate minimax strategies”. That is, 
each player is guaranteeing itself a payoff that is close to the value of the game. Formally, (z, A) is 
a pair of 1Z-approximate minimax strategies if 


Vz', £(z, A) < £(z / , A) + TZ and VA ; , £(z, A) > C( z, A 7 ) — 1Z. 


Looking ahead, using the properties of gradient descent, we can show that (z, A) are a pair of 
^-approximate minimax strategies for a bound 1Z that will grow with the norm of the dual player’s 
actions, i.e. || A^ ! H 2 - Thus, in P-GD, the dual player’s action is chosen to have bounded norm (at 
most 2m), in order to ensure 1Z is relatively small. However, from (16) it’s not clear that the 
optimal dual strategy has small norm, so restricting the norm of the dual player’s actions might 
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change the value of the game. However, we show that restricting the norm of the dual player’s 
action does not change the value of the game. 

Let (z*, A*) be a pair of (exact) minimax strategies in the Lagrangian game. By strong duality, 
we know that 

£(z*, A*) = OPT fl (s) 

and z* is an optimal and feasible solution. We now reason about the restricted Lagrangian game, 
in which the dual player’s action is restricted to the space B = {A € | ||A||i < 2m} C M m . 

The next lemma states that even when the dual player’s actions are restricted, then z* is still a 
minimax strategy for the primal player. That is, the primal player cannot take advantage of the 
restriction on the dual player to obtain a higher payoff. 

Lemma 4.3. There exists a dual strategy \* B G B such that (z*,X* B ) is a pair of (exact) minimax 
strategies for the restricted Lagrangian game. 

Proof. Since z* is an (exact) minimax strategy for the (unrestricted) Lagrangian game, we know 
that for any A G B 

£(z*,A) = c(y*) = OPT ii (s). 

Let x' G F r (b) and y G [0,n] m be different flows such that x' / x* and y' / y*. We want to 
show that 

max£(x,y,A) > max£(z*,A) := £( z*,X B ). 

If we have y' e = X^=i x i e f° r e G £, then 

max£(x,y,A) = c(y) > c(y*). 

AGo 

Suppose there is some edge such that y' e / 'Y(a=\ x \ &■> then we define A := ||y' — X^=i x ill°o- 
With the cost function in terms of the individual flow variables in (4) we know that 

c(y) > 0(x) — — V A • i e (n) > 0(x) — m • A > c(y*) — m ■ A. 

e&E 

Note that the dual player can set A e = 2m for y" =] x' ie — y' e > 0 or A e = —2m for x' ie — y' e < 

0 for the maximally violated edge e: 

max£(x, y, A) = c(y) + 2m • A > c(y*) + -A(2m — m) > OPT' R (s). 

A Go 

Therefore, any infeasible (x, y) would suffer loss at least OPT^(s) in the worst case over the dual 
strategy space. It follows that (z*,A*) is a minimax strategy. 

Since both players’ action spaces Q R { s) and B are compact, then there exists a minimax strategy 
(z*,Ag) of the restricted Lagrangian game. □ 

Using the previous lemma, we know that the value of the restricted game is the same 

Lemma 4.4. Let (z, A) be a pair of 1Z-approximate minimax strategy of the restricted Lagrangian 
game, and z = (x, y). Then the fractional solution x satisfies 

<Xx) < OPT r (s) + 4K. 
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Proof. We will first bound the constraint violation in (x, y). Let e! € argrnax ee e \ Yli x i,e ~ Ue\ be 
an edge where the constraint is violated the most, and let A = | Yli x i,e' ~ Ue'\- Consider the dual 
strategy A' € £> such that 



—2m 

2m 


if J2i x i,e' - Ve' > 0 

otherwise 


and A' e = 0 for all e^e'. Now compare the payoff values £(x, y, A) and £(x, y, A'). By the property 
of ^-approximate equilibrium and letting ((x*,y*), A*) be the exact equilibrium, we have 


OPT fl (s) -U = £(x*, y*, X*) — 1Z < £(x, y, A*) — 1Z 

< £(x, y, A) < £(x*,y*, A) + 1Z < OPT R (s) + 1Z 
=>- OPT i? (s) — 7Z< £(x, y, A) < OPT^(s) + TZ 


and 

£(x,y,A') < OPT R (s) + 21Z. 

Since (x, y) violates equality constraint on each edge by at most A, we know that 


: (y) > <^( x ) - \ 


e&E 


y! X i,e 


Ve 


■ 4 (n) > OPT^(s) - mA 


Also, the penalty incurred by X' is at least 


yy A e ( 2/e - X] Xi ’ e ) = 2m • A - 

eSE \ i / 


Therefore, we could bound 

£(x, y, A') > OPT fl (s) + m • A. 

It follows that A < 2 1Z/m. 

Next we will show the accuracy guarantee of x. Consider an all-zero strategy for the dual player 
X ", that is Ag = 0 for each e € E. We know such a deviation will not increase the payoff by more 
than 1Z: 

£(x, y, A") < £(x, y, A) + 72. < OPT R (s) + 2TZ, 
and also £(x, y,A") = c(y), so we must have 


c(y) < OPT fl (s) + 2TZ. 


Now we could give the accuracy guarantee for the cost of the individual flows x: 

<Xx) < c(y) + - V A • 4(n) < OPT^(s) + 21Z + 2(^/m) • m = OPT R (s) + An. 
n 

eeE 

This completes the proof of the lemma. □ 

The previous discussion shows that if (z, A) is a pair of approximate minimax strategies for the 
restricted Lagrangian game, then x represents an approximately optimal flow. In the remainder of 
this section, we show that (z, A) will be such a pair of strategies. To do so, we use a well known 
result of Freund and Schapire Freund and Schapire (1996), which states that if z and A have “low 
regret,” then they are a pair of approximate minimax strategies. “Regret” is defined as follows. 
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Definition 4.5. Given a sequence of of actions {z^'} and {A^'} in the Lagrangian game, we define 
regret for each player as: 


A ( * } ) 


t =1 


- mjn -^^£(z,A W ) 

zeS(s) T ^ 


= max i ^ £(z (i) , A) - ^ ^ £(z (f) , A w ) 


t=i 


t=i 


Given this definition, the result of Freund and Schapire (1996) can be stated as follows. 

Theorem 4.6 (Freund and Schapire (1996)). //(z, A) is t/ie average of the primal and dual players’ 
actions in P-GD, then (z, A) is a pair of (IZ z + IZ\)-approximate minimax strategies of the restricted 
Lagrangian game. 

Given the previous theorem, our goal is now roughly to show that z and A have low regret. To 
do so, we need to analyze the regret properties of the gradient descent procedure, as well as the 
additional regret incurred by the noise added to ensure joint differential privacy. 

Specifically, the gradient descent procedure GD satisfies the following regret bound. 

Lemma 4.7 (Zinkevich (2003)). Fix the number of steps T £ N. Let V be a convex and closed set 
with bounded diameter, i.e. for every u,u>' £ T >, 


||w — u/|| 2 < D. 

Let r 1 ,... ,r T be a sequence of differentiable, convex functions with bounded gradients, i.e. for every 
step t £ [T\, 

||Vr*|| 2 < G. 

Let rj = and u>° £ V be arbitrary. Then if we compute cj 1 , ..., u T £ V according to the rule 
u: t+1 4— GD(fD, r*, w 4 , rf ), the sequence {w 1 ,..., cu T } satisfies 


f T 

— min < > r l 
uj&V ^ 

U=i 

We can now use this regret bound for GD to give a regret bound for the private gradient descent 
procedure P-GD. 

Lemma 4.8. Fix £,5,(5 > 0. If (z, A) is the average of the primal and dual players’ actions in 
P-GD(T, e, 5, (5), then with probability at least 1 — (5, (z, A) are a pair of IZ-approximate minimax 
strategies in the restricted Lagrangian game, for 


T 

R t (GD ) := ^V(<y) 

t =l 


( w ) \ < gdVt 


(17) 


n = o 



Proof. In light of Theorem 4.6, we know IZ = IZ z + IZ\, so we just need to bound the regrets for 
both players. For the flow player z, we will bound the regrets of x and y separately by invoking 
the regret bound of Zinkevich (2003) given in Lemma 4.7. 

We define G y such that \/t £ [T] we have ||V y £(z, AW )||2 < G y and D y such that Vy, y' £ [0, n] m 
we have ||y — y'|| 2 < D y . We define corresponding quantities for G x and D x . It suffices to set these 
values in the following way: 

G y := sj{m — l)(q + l ) 2 + (7 + 1 + 2m) 2 D y := ny/rn 
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G x := 2 my/n D x := \Jmn 
Using (17) we have the following bound on the regret . 

< 1/n/T (G y • D y + G x • D x ) 


< 


ri\ m 


Vt 


m(7 + l) 2 + (7 + 1 + 2m) 2 + 2m^ 


= O 

with the following step sizes: 


nm 


3/2' 


Vr 


% : = 


Dr 


Dy 

Vy ■ = 


( 18 ) 


(19) 


G X VT '' y ' G y VT 

Now we bound the regret for the dual player. Note that each agent could only affect the quality 
score q of each edge by 1. By the utility guarantee of the exponential mechanism stated in Lemma 
A .6 we know that with probability at least 1 — /3/T, at round t 


max 

(•,e)e{±}xE 


q( z W ,(«,e)) -q{ z W ,(* (f) ,e W ) 


< 


2(log(2 mT/f3)) 


( 20 ) 


We condition on this level of accuracy for each round t, which holds except with probability /3. 

Also, at each round t, a best response for the dual player is to put weight ± 2 m on the edge 
with the most violation, so we can bound the regret: 


^ = ™£( z W,A)-£(zW,aW) 


1 \ - 

< -^2m 
t =1 


2 (log (2 mT/P)) 


= 2m ■ 


2 (log (2 mT/P)) 


For T = 0 


- —.= ) we know that 

log(mn//3)y / log(l/(5) J 


1Z — 7^2 + 'T^\ — O 


nm 


3/2 


Vt 


+ 


m log(mT/ /3) VT log(l/5) \ 




= O -polylog(l/5,1 /P,n,m) 


n 


The previous lemma shows that the fractional solution has nearly optimal cost. The last thing 
we need to do is derive a bound on how much the rounding procedure PSRR increases the cost of 
the final integral solution. 

Lemma 4.9. Let x be any feasible fractional solution to the convex program (12), and letx.* be an 
integral solution obtained by the rounding procedure PSRR(x). Then, with probability at least 1 — fd, 

0 (x*) < 0 (x) + m (7 + 1 ) V^ n hi(m//3). 
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Proof. From the analysis of Raghavan and Thompson (1987) (in Theorem 3.1 of the source), we 
know that with probability at least 1 — (3, 


max 

e£E 


^ j % i,e ^ 'j 


< n In (m//3) = W. 
Finally, we could bound the difference between the costs </>(x*) and 0(x) 


<X x *) - <K x ) < 


n 


Y X i,e ‘ y e ^ X] X he ) \Y X i’ e ) ) + Yj W ' ( Y, X I< 


< — ■ (mnjW + mnW) = mW (7 + 1). 
n 


This completes the proof. 


□ 


Combining Lemma 4.8 and Lemma 4.9 we obtain our desired bound on the quality of the joint 
differentially private integral solution. 

Theorem 4.10. LetT = (G,£,s) be a routing game ancle, 8, /3 > 0 be parameters, //x* is the final 
integral solution given by P-GD(T, e, 5, ft), then with probability at least 1 — (3, the cost ofx * satisfies 


0 (x*) < OPT(s) + O 



i.e. x* is an a-approximate optimal flow for a 


O 


( y/nm 5 / 4 
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A Tools for Differential Privacy 


In this section we review the necessary privacy definitions and tools needed for our results. Through¬ 
out, let s = (si,... , s n ) € S n be a database consisting of n elements from a domain S. In keeping 
with our game theoretic applications, we refer to the elements si,... ,s n as types and each type 
belongs to a player i £ [n]. 

We first state a general lemmas about differential privacy. 

Lemma A.l (Post-Processing Dwork et al. (2006)). Given a mechanism M : S n —» O and some 
(possibly randomized) function p : O —>• O' that is independent of the players’ types s € S n , if M( s) 
is (e, 5)-differentially private then p(M( s)) is (e,S)-differentially private. 


A.l The Laplace Mechanism 

We will use the Laplace Mechanism, which was introduced by Dwork et al Dwork et al. (2006) to 
answers a vector-valued query / : S n —>• R fc . 

The Laplace Mechanism depends on the notation of sensitivity —how much a function can 
change when a single entry in its input is altered. 

Definition A.2 (Sensitivity). The sensitivity A / of a function / : S n —>• M fc is defined as 


A /= u ma ;X {||/(s i ,s_ i )-/(4s-i)||i}- 

ie[n],(si,s_i)G5 n ,s<e5 


Algorithm 7 Laplace Mechanism Dwork et al. (2006) 


Input: : Database s S S n , query / : S n —>• M fc , and privacy parameter e. 
procedure Ml(s, /, e) 

Set a = /(s) + Z Z = (Z\, • • • , Zffj and Z. L ~ Lap(A//e) 

return a. 
end procedure 


Lemma A.3 (Dwork et al. (2006)). The Laplace Mechanism Ml is e -differentially private. 

Lemma A.4 (Dwork et al. (2006)). The Laplace Mechanism Ml(s, f,s) produces output a such 
that with probability at least 1 — (3 we have 

ll/W - aiu < log (1) (^) 

A.2 The Exponential Mechanism 

We now present an algorithm introduced by McSherry and Talwar (2007) that is differentially 
private called the exponential mechanism. Let us assume that we have some finite outcome space 
O and a quality score q : S n x O —>• R that tells us how good the outcome o € O is with the given 
database s € S n . We define the sensitivity of q as the maximum over o € O of the sensitivity of 
q(-',o). Specifically, 

A q= max {|q(s, o) — q(s', o)|} for neighboring s, s' 

o£ £>,s,s' £ S n 


30 





Algorithm 8 Exponential Mechanism McSherry and Talwar (2007) 

Input: : Database s S S n , quality function q : S n xO->l, and privacy parameter e. 
procedure Me(s, q, e) 

Output o£0 with probability proportional to 


exp 


V 2 Ag ) 


end procedure 


Lemma A. 5 (McSherry and Talwar (2007)). The Exponential Mechanism Me is £-differentially 
private. 

We then define the highest possible quality score with database d to be OPT q { s) = max oe o{<7(s, o)}. 
We then obtain the following proposition that tells us how close we are to the optimal quality score. 

Lemma A.6 (McSherry and Talwar (2007)). We have the following utility guarantee from the 
Exponential Mechanism Me-' with probability at least 1 — fd and every t > 0, 

q( s, M e { s , q, e)) > OPTffs) - ‘ 2 ^j- (log |0| + t) 


A.3 Composition Theorems 

Now that we have given a few differentially private algorithms, we want to show that differentially 
private algorithms can compose “nicely” to get other differentially private algorithms. We will need 
to use two composition theorems later in this paper. The first shows that the privacy parameters 
add when we compose two differentially private mechanisms, and the second from Dwork et al. 
(2010) gives a better composition guarantee when using many adaptively chosen mechanisms. 

Lemma A. 7. If we have one mechanism : S n —» O that is (ei,Si)-differentially private, and 
another mechanism M 2 : 5” x O —»• R is (£ 2 , 62 )-differentially private in its first component, then 
M : S n —> R is (ei + £ 2 , <5i + 62 ) differentially private where 

M(s) = M 2 (s,M 1 (s)). 


If we were to only consider the previous composition theorem, then the composition of m 
mechanisms that are e-differentially private mechanisms would lead to a me-differentially private 
mechanism. However, the next theorem says that we can actually get (e', ^-differential privacy 
where £' = 0(ffm£) if we allow for a small 5 > 0. This theorem also holds under the threat of an 
adversary that uses an adaptively chosen sequence of differentially private mechanisms so that each 
can use the outputs of the past mechanisms and different datasets that may or may not include an 
individual’s data. See Dwork et al. (2010) for further details. 

Lemma A.8 (m-Fold Adaptive Composition Dwork et al. (2010)). Fix 5 > 0. The class of (e',5') 
differentially private mechanisms satisfies (e, m5' + 5) differential privacy under m-fold adaptive 
composition for 

P S — 

Sm log(l/5) 
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We also include a proof of Lemma 3.3, the composition of a differentially private algorithm with 
another joint differentially private algorithm is differentially private. 

Proof of Lemma 3.3. Let S C O, i € [n], and consider data s € S" and s' = (s(, s_j) for s' e S. 
We have 


1 [M(s) g S] = [ P [Md(x) g 5] ■ P [Afj(s) = x] dx 
Jx n 

[ P[M D (xj,x_j) G 5] -P[Mj(s) = x]dx, 
Jx 


lx ™- 1 


dx_i 


We then use the fact that, since Mo satisfies e/)-differential privacy, we know that for any fixed 
€ X, it holds that P [Mo(j)i,x_i) € 5] < min{e ££> -P x_j) € 5] , 1}. We let .P x / x _. denote 

the RHS of this inequality. 


1 [M(s) € 5] < 


i x ™- 1 


lx 


■ F = x ] dxi 


dx_j 


f ■ F [Afj(s)_i = x_i] dx_* 

JX 71 - 1 


Now we use the fact that, since Mj satisfies (ej, d)-joint differential privacy, we have the inequality 
P [Mj(s)-i = x_j] < e £j • P [Mj(s')_j = x_»] + S = (J x e £j • P [Mj(s') = x] dxf) + 6. 


P [M(s) € S] < 


P, 


ix n ~ 1 


ix 


e £j ■ P [Mj(s') = x] dxi + d 


dx_i 


< e £j 


• I Px'.^-i ■ [ F [Mj(s') = x] dxj dx_j + 5 ■ [ 

Jx”-- 1 1 L/A? J .7A 


dx_, + 6 ■ / P x i „.dx.-i 
>X n -i 1 


Using our definition of P x j X ( (using the hrst term in the min for the first term above and the 
second term of the min for the second term above) we can simplify as follows. 


P [M(s) € S] < e £D+£j ■ [ P [MoOr', x_i) G 5] P [Mj(s') = x] dx + d 

Jx n 

Again we can apply the fact that, since Mo is ^-differentially private, for every Xi € X, we have 
that P [Mfl(^,x_j) G 5] < e £D ■ P [Md(x) € 5]. 


P [M(s) € S] < e 2 ^ 5 - 7 • [ P [Mfl(x) € S'] P [Mj(s') = x] dx + d 

Jx n 

= e 2£D+£j • P [M(s') € S] + d 

Since this bound holds for every neighboring pair s, s', we have proven the lemma. □ 


B Bounding the Number of Unsatisfied Players 

We seek to bound the number of players that are approximately unsatisfied w.r.t. congestion y in 
the approximately optimal flow x* under the routing game r r , where y is the perturbed version 
of congestion y* = First, we give a way to bound the number of unsatisfied players for 

any approximately optimal flow in the routing game T 7 " = (G,£ + r*,s) that uses the functional 
marginal-cost tolls r*(-) given in (6). 
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Lemma B.l. Let p > 0 and x* be an a-approximately optimal flow in the routing game T. Then 
the number of Ci(p) -unsatisfied players in T r * with respect to congestion y* = YW/=i x i bounded 
by na/p where 

Ci(p) = p + 4mnya/p 


Proof. Let x be any flow in ^(s). Consider the following p-best response dynamics: while there 
exists some p-unsatisfied agent i (w.r.t. the true congestion ^Nxj), let i make a deviation that 
decreases her cost the most. Recall that we write OPT(s) as the optimal value for the routing 
game T. Note that in the tolled routing game T r , the potential function 'k given in (7) satisfies 
'k(x) = n • 0(x). 

Note that x* is an a-approximately optimal flow, so 

OPT(s) < - • 'k(x’) < OPT(s) + a. 

n 

Since each deviation a player made in the dynamics decreases the potential function ’k(x) by 
at least p, p-best response dynamics in game T T starting with flow x* will terminate after at most 
na/p iterations. The resulting flow x has all agents p-satisfied. In the process, the congestion of 
each edge might have increased or decreased by at most na/p. For each edge e € E, the change in 
latency is bounded using our y-Lipschitz condition 

I4(y e ) -4(?/e)l < n'ya/p. 

Furthermore, the edge toll is also y-Lipschitz 

\<{Ve) ~ T*M) | = | (2/ e - l)(4(Ve) ~ l{Ve ~ 1)) ~ We ~ 1)(4 We) ~ ?We ~ 1))| 

< tI( 2/e - 1) - We ~ !)l < n^a/p. 

For the agents that did not deviate in the dynamics, their cost is changed by at most 2mnya/p. 
Since they are p-satisfied at the end of the dynamics, this means they were (p + 4myna/p)-satisfied 
in the beginning of the process. 4 Since the p-best response dynamics lasts for na/p rounds, there 
are at most na/p number of agents that deviate in the dynamics. □ 

Based on Lemma B.l, we can now bound the number of approximately unsatisfied players when 
we impose constant tolls t' = r*(y*) instead of functional tolls on the edges. 

Lemma B.2. Let p > 0, x* be an a-approximately optimal flow in the routing game T, and 
T ' = r *(Ei x *) vector of constant tolls. Then, the number of C 2 [p)-unsatisfied players with 

respect to y* = routing game r r is bounded by na/p, where 

C 2 W = p + 4myna/p + 2my. 

Proof. Let player i be a Ci(p)-satisfied player in flow x* under the routing game r T . Now we argue 
that he should also be C 2 (p)-satisfied under the game r r . Suppose not. Then there exists a route 
x) for player i that can decrease the cost by more than £2 (p) under r r . Now consider the same 
deviation in game r r *. Since the functional toll on each edge can change by at most y, we know 
that player V s costs in r r and r r differ by at most 2my. This implies that the deviation x^ in 
game r r * could gain him more than Ci(p) since Clip) ~ Ci(/°) = 2my. 

4 While the same path agent i is taking might have cost lowered by 2myna/p in the dynamics, any alternate 
(si, ti)-path might have increased its cost by 2myna/p. 
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From Lemma B.l, we know that the number of (j (/^-unsatisfied players under the routing game 
r r is bounded by na/p. Therefore, we know that the number of C2 (/^-unsatisfied players under 
r r is also bounded by na/p. □ 

Combining the previous two lemmas, we could now bound the number of unsatisfied players in 
r r with respect to y = x i with the differentially private constant tolls f. 

Lemma B.3. Let p,£ > 0 and x* be an a-approximately optimal flow in the routing game T. Let 
t = r*(y) where y = P~CON(x*. e). Then with probability at least 1 — ft, the number of Ce(p)- 
unsatisfied players in T 1 " with respect to y* = Y^=\ x / bounded by a/p, where 

Ce(p) = C2 (p) + 4y m 2 log [vn/fl)/e. (21) 

Proof. From standard bounds on the tails of the Laplace distribution (Lemma A.4), we have the 
following except with probability /3: 


max 

e 


i 


2 m 

< -log 

£ 



We now condition on this level of accuracy. Since the toll function r*(-) is 7-Lipschitz and t' = 
r*(y*), we have 

l~ ,1 ^ 2m7 1 ( m \ 

max \r e -r e | < —— • log I — I = v e 

Therefore a player’s cost for taking the same route may increase by as much as 772,17. Further, the 
cost for an alternative route may decrease by at most the same amount. Thus, each of C2(p)-satisfied 
players under the flow x* in T T remain (£2 (p) + 277i2/ £ )-satisfied in game r T . By Lemma B.2, we 
know that the number of (^(/^-unsatisfied players in r r is bounded by na/p, so the number of 
(C2 (p) + 2772Z7 £ )-unsatisfied players in T r is bounded by na/p as well. □ 

We now consider what happens when instead of allowing players to best respond given the exact 
congestion y = Xi=i x *> we instead let them best respond given a private and perturbed version 
of the congestion. The following general lemma will be useful, which relates to unsatisfied players 
in two different congestions that are close. 

Lemma B.4. Let T be a routing game, andx be a flow inT. Let y andy' such that ||y —y^loo b. 
Then for any number ( > 0, the set of (/-satisfied players in x with respect to y are also (/'-satisfied 
with respect to y' , where 

(' = (/ + 277776. 


Proof. The proof follows from the same analysis in the proof of Lemma B.3 □ 

From the analysis of Lemma B.3, we know that ||y — y*||oo < 77 • log (^, so by instantiating 
Lemma B.3 with p = 2 ^/myna and combining with the result of Lemma B.4, we recover the bound 
in Lemma 3.6, that is the number of Ce-imsatisfied players w.r.t. congestion y in x* and game T 7 " 
is bounded by ^/na/Amy with 


= Ay/myna + 87 m 2 log [m/fl)/£. 
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